Coinbase confirms insider breach impacting nearly 70K users amid $20M extortion attempt


A large-scale extortion scheme targeting Coinbase users has exposed personal information of nearly 70,000 customers, the US-based cryptocurrency exchange confirmed in a data breach notification.

Coinbase revealed that the breach, which it attributed to insider misconduct at an overseas customer support center, occurred on December 26, 2024, but went undetected until May 11, 2025 — the day the attackers demanded a $20 million ransom in exchange for not releasing the stolen data.

Rather than pay the ransom, Coinbase has offered a $20 million reward for information leading to the identification and arrest of those behind the attack. The breach affected 69,461 users, with the compromised data reportedly fueling a months-long phishing campaign that netted tens of millions of dollars from targeted customers.

Taylor Monahan, head of security at MetaMask, disputed the timeline presented by Coinbase, suggesting that attackers had insider access for much longer than acknowledged.

“Threat actors had ongoing access via multiple insiders over a prolonged period of time,” Monahan wrote on X, citing a May 16 article by Cryptoforensic Investigators.

The investigative report alleged that hackers began using stolen information months before the official breach date, successfully targeting high-net-worth Coinbase users through coordinated phishing, social engineering, and vishing scams. One victim reportedly lost 400 BTC — valued at over $27 million — in a single incident.

Cryptoforensic Investigators estimate that the breach may have begun as far back as mid-2024, with attackers gaining increasing access and sophistication in targeting victims.

